Splunk® Common Information Model Add-on

Common Information Model Add-on Manual


This documentation does not apply to the most recent version of CIM.

Install the Splunk Common Information Model Add-on

  1. Download the Common Information Model add-on from Splunkbase at https://apps.splunk.com/app/1621/.
  2. Review the indexes defined in CIM.
    1. The cim_summary index definition is deprecated, but is included for backwards compatibility with upgraded versions of Splunk Enterprise Security and the Splunk App for PCI Compliance.
    2. The cim_modactions index definition is used with the common action model alerts and auditing. Assign the appropriate roles to search the index.
  3. Install the Splunk Common Information Model Add-on on your search heads only. Installing this add-on on indexers results in redundant data model acceleration overhead if acceleration is enabled.
    Refer to Installing add-ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:

Next: See Set up the Splunk Common Information Model Add-on to perform optional configurations to improve performance.
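
For step 2, an added example (not part of the Splunk documentation or the add-on) that lists which roles can search cim_modactions, following `importRoles` inheritance. The authorize.conf text and role names are constructed for illustration; `srchIndexesAllowed` and `importRoles` are standard authorize.conf settings.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; role names are assumptions, not from the add-on.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main

[role_soc_analyst]
importRoles = user
srchIndexesAllowed = cim_modactions;notable

[role_power]
importRoles = user
srchIndexesAllowed = *

[role_tier1]
importRoles = soc_analyst
"""

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp

def _items(auth, section, key):
    # Both settings hold semicolon-separated lists.
    return [v.strip() for v in auth.get(section, key, fallback="").split(";") if v.strip()]

def allowed_patterns(auth, role, seen=None):
    """Index patterns a role may search, including those inherited via importRoles."""
    seen = set() if seen is None else seen
    section = f"role_{role}"
    if role in seen or not auth.has_section(section):
        return set()
    seen.add(role)  # guards against import cycles
    patterns = set(_items(auth, section, "srchIndexesAllowed"))
    for parent in _items(auth, section, "importRoles"):
        patterns |= allowed_patterns(auth, parent, seen)
    return patterns

def roles_that_can_search(auth, index):
    # Simplification: shell-style matching; fine for non-internal names like cim_modactions.
    roles = [s[len("role_"):] for s in auth.sections() if s.startswith("role_")]
    return sorted(r for r in roles
                  if any(fnmatchcase(index, p) for p in allowed_patterns(auth, r)))

if __name__ == "__main__":
    print(roles_that_can_search(parse_conf(AUTHORIZE_CONF), "cim_modactions"))
```

Roles that reach the index only through a wildcard or an imported role are the ones to review, since the audit data in cim_modactions is then searchable without an explicit grant.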


This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.10.0


Comments

Thanks for the feedback! Investigation complete. Added the advice in the 4.11 documentation where the cim_summary goes from deprecated to removed.

Lkutch splunk, Splunker
December 6, 2018

Thanks for asking about this @Gabriel vasseur. I will open a ticket to investigate.

Abowman splunk, Splunker
November 19, 2018

It seems DUThibault's comment still hasn't been addressed in full. What happens to customers who have local indexes configuration to specify a custom location for the data? For these, the current behaviour breaks upgrades to enterprise security (see case #1196979) and there is no advice on how to prevent/solve this.

Also, "This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12." <--- this cannot be true. Between 4.9.1 and 4.11.0 the cim_summary index (and I think modactions too) disappear, so all these versions are obviously not the same. Please update.

Gabriel vasseur
November 15, 2018

You are correct, @DUThibault. This sentence was an inaccurate holdover from a previous version of the documentation. I removed the sentence while I investigate whether there are still cases when you would want to remove indexes.conf or if there is a need to comment out the cim_summary stanza.

Smoir splunk, Splunker
November 29, 2017

"If you are not using this index definition, remove this default/indexes.conf before installation" seems to suggest one should delete the default/indexes.conf file from splunk-common-information-model-cim_###.tgz before installation. But this would remove not just the cim_summary configuration: it would remove the cim_modactions configuration as well. Shouldn't the suggestion rather be "If you are not using this index definition, remove the [cim_summary] section (or comment it out) from default/indexes.conf before installation"?

DUThibault
November 28, 2017
